global
    log /dev/log    local0
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    debug

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/certs

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL).
    ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL

defaults
    log     global
    option dontlognull           #Disable logging of null connections as these can pollute the logs
    option redispatch           # Enable session redistribution in case of connection failure, which is important in a HA environment
    option tcp-smart-accept     # Performance tweak, saving one ACK packet during the accept sequence
    option tcp-smart-connect    # Performance tweak, saving of one ACK packet during the connect sequence

    # Setting timeouts
    timeout connect       2m
    timeout client        2m
    timeout server        2m
    retries           5

    timeout http-request     2m    # Slowloris protection
    timeout tarpit        2m     # tarpit hold time
    timeout queue         2m
    backlog        10000

# host webpage 
frontend ft_http
    bind :80
    mode tcp
    tcp-request inspect-delay 2s
    tcp-request content accept if HTTP
    tcp-request content accept if { req.ssl_hello_type 1 }
    acl to_ssh payload(0,7) -m bin 5353482d322e30
    acl to_ssh payload(1,7) -m bin 5353482d322e30
    use_backend bk_ssh if to_ssh
    default_backend bk_web_http
    
# https webpage , ssh and vpn
frontend ft_https
    bind :443
    mode tcp
    tcp-request inspect-delay 3s
    tcp-request content accept if HTTP
    tcp-request content accept if { req.ssl_hello_type 1 }
    acl to_ssh payload(0,7) -m bin 5353482d322e30
    acl to_ssh payload(1,7) -m bin 5353482d322e30
    use_backend bk_ssh if to_ssh

    #acl to_web req_ssl_sni -i web.example.com
    #acl to_web req_ssl_sni -i example.com
    #acl to_web req_ssl_sni -i register.example.com
    #use_backend bk_https_web if to_web
    
    #acl to_openvpn req_ssl_sni -i openvpn.example.com
    #acl to_openvpn req_ssl_sni -i ChangeMe
    #acl to_openvpn ssl_fc_cipher -i AES-256-CBC
    #acl to_openvpn req_ssl_ver 3.3
    #acl to_openvpn ssl_c_s_dn(cn) -i client
    #acl to_openvpn ssl_c_s_dn(cn) -i ChangeMe
    #acl to_openvpn ssl_c_s_dn(cn) -i server
    #use_backend bk_openvpn if to_openvpn
    
    acl to_vpn req_ssl_sni -i secure.example.com
    acl to_vpn req_ssl_sni -i vpn.example.com
    acl to_vpn path_beg -i /vpnsvc/
    acl to_vpn path_beg -i /vpnsvc
    acl to_vpn ssl_fc_cipher -i AES-128-CBC
    acl to_vpn ssl_fc
    use_backend bk_softe if to_vpn   
    default_backend bk_softe

#frontend https-loop
#   bind :8443 ssl crt /etc/haproxy/certs
#   mode http
#   default_backend bk_web_http
    
backend bk_ssh
    mode tcp
    server ssh 127.0.0.1:22
    timeout server 15m
    option tcpka

backend bk_softe
    mode tcp
    server softe 127.0.0.1:5555
    timeout server 5m
    option tcpka

backend bk_squid
    mode tcp
    server squid 127.0.0.1:3128
    timeout server 4m
    option tcpka

#backend bk_openvpn
    #mode tcp
    #server openvpn 127.0.0.1:1195
    #timeout server 4m
    #option tcpka

#backend bk_https_web
    #mode tcp
    #server ssl-loopback 127.0.0.1:8443

backend bk_web
    mode tcp
    server web 127.0.0.1:8081

backend bk_web_http
    mode http
    server web 127.0.0.1:8081
